
List:       cobalt-users
Subject:    RE: [cobalt-users] Menuconf
From:       "Andy Brown" <andy.brown () interv8 ! co ! uk>
Date:       2002-10-31 10:59:04

<snip>
> > > Pardon my ignorance, but I just ran top on my RaQ2 and saw something
> > > called "menuconf" running and eating up a lot of my cpu.  I've never
> > > seen this
>
> > You or one of your users must have accidentally placed that file there.
> > It won't affect your RaQ2 because it can't run there. It's part of DOS
> > that will only run with COMMAND.COM available on an INTEL architecture.
> > You have a MIPS machine with Linux.
>
> Since it is showing up in TOP, then it means it's running and it's a valid
> Linux binary and nothing like a DOS command. What I feel is that it might
> be something related to the LCD menu for the Cobalt RAQs. Please check
> whether someone had kept the RaQ's menu in ON state. If this is the case
> then most probably that might be the reason for it taking high CPU as it
> might be waiting for the user input. In that case just close the menu and
> that's it.
</snip>

From what I recall there are no 'menuconf' programs on any of the RaQs, so I'd be wary of this process to a degree. This could be a backdoor process running, so I'd first find out what ownership it's running under by doing:
ps ux
and see if it's running under root or another user. If it's by root, then it's either: a root admin ran the process, the Cobalt itself ran the process, or a malicious user gained root and ran it. Then do a
netstat -anp
and look to see if the process is listening/communicating on a port, if so make a note of the port number tcp/udp, etc so you can do some web searches. If it is listening/communicating on a port then I'd be a lot more suspicious of it, AFAIK no Cobalt processes (apart from the obvious, httpd, sendmail, etc) should listen/establish communication ports.

kill -9 the process, and track down the binary using find.
Hopefully it's an innocent user, but may be worth doing some chkrootkit checks as well just to be safe.

Regards,

Andy
andy@raqpak.com
http://www.raqpak.com  <-- Unofficial FAQs and PKGs 

_____________________________________
cobalt-users mailing list
cobalt-users@list.cobalt.com
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
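
The ownership and port checks described in the reply above, as an added example that is not part of the original thread: it matches a process name in `ps` output, then lists the sockets `netstat -anp` attributes to each matching PID. The function names, the `PS_SOURCE`/`NETSTAT_SOURCE` variables and all sample rows (PIDs, port 4000, addresses) are assumptions constructed for illustration, and it assumes `ps aux` column layout so that processes of every user are visible.

```shell
#!/bin/sh
# Added example. Sample data is constructed; PIDs, ports and addresses are made up.
sample_ps() {            # shaped like `ps aux` output
cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       412  0.0  0.9  3300 1200 ?        S    Oct30   0:10 /usr/sbin/httpd
root      2317 92.4  0.5  1890  720 ?        R    09:12  41:07 menuconf
admin     2450  0.1  0.6  2100  800 pts/0    S    10:40   0:00 -bash
EOF
}
sample_netstat() {       # shaped like `netstat -anp` output
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:80       0.0.0.0:*           LISTEN      412/httpd
tcp        0      0 0.0.0.0:4000     0.0.0.0:*           LISTEN      2317/menuconf
tcp        0      0 192.0.2.10:4000  198.51.100.7:51514  ESTABLISHED 2317/menuconf
udp        0      0 0.0.0.0:514      0.0.0.0:*                       300/syslogd
EOF
}

# proc_owners NAME: read ps output on stdin, print "owner pid" per matching process.
proc_owners() {
    awk -v name="$1" 'NR > 1 {
        cmd = $11; sub(/^.*\//, "", cmd)      # strip any directory from the command
        if (cmd == name) print $1, $2
    }'
}

# proc_sockets PID: read netstat output on stdin, print "proto local state" per socket.
proc_sockets() {
    awk -v pid="$1" '{
        split($NF, owner, "/")                 # last column is PID/Program
        if (owner[1] == pid) print $1, $4, (NF == 7 ? $6 : "-")   # UDP rows have no State
    }'
}

# Defaults use the samples; on a live host set PS_SOURCE='ps aux' and
# NETSTAT_SOURCE='netstat -anp' (run as root so -p can show every PID).
PS_SOURCE=${PS_SOURCE:-sample_ps}
NETSTAT_SOURCE=${NETSTAT_SOURCE:-sample_netstat}

triage() {               # triage NAME: owner, PID and sockets for each matching process
    $PS_SOURCE | proc_owners "$1" | while read -r user pid; do
        echo "pid=$pid owner=$user"
        $NETSTAT_SOURCE | proc_sockets "$pid" | sed 's/^/  socket: /'
    done
}

triage menuconf
```

Run it before the kill step: once the process is gone, `netstat -p` no longer attributes any socket to its PID.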

